Though the Stuxnet cyber-attack which likely targeted Iran’s nuclear facilities may’ve begun as early as 2009, computer security experts have only this month published their full analysis of one of the most sophisticated and powerful computer worms ever developed, and what industrial damage it may’ve done.

Stuxnet is malware likely designed to infiltrate Iranian industrial computers (60% of infected computers were in Iran) which controlled numerous automated processes in factory production cycles. The most likely target, according to most experts consulted, would be Iran’s Bushehr nuclear reactor complex, which last year was reported by Israeli media to have been sabotaged and to have faced extensive production delays. Since Bushehr uses Russian-supplied fuel not related to centrifuges or uranium enrichment, it seems unlikely that centrifuges were the goal. But there clearly is some key industrial process likely targeted at Bushehr, and the worm may’ve either destroyed equipment or corrupted a production cycle central to the reactor’s function.

By all accounts, the worm is so advanced, performs so many functions, and operates in such a complex fashion that it can only have been produced by the intelligence agency of a sovereign nation. We can imagine which nations would have the capacity to mount such an operation and the motivation to sabotage Iran’s nuclear program. The CIA and Mossad (or IDF military intelligence) spring to mind. My money is either on Israel or on a shared operation mounted in some way by both countries.

IDF military intelligence has such a capability, Unit 8200, which analyzes intercepted communications and performs all manner of cyber-warfare tasks. A recent profile of the group described its operations in some detail, though it didn’t deal with the question of whether 8200 may’ve been involved in this attack. Forbes published this warm and fuzzy profile as well, making 8200 out to be a real cool version of Silicon Valley.

This military unit performs a similar role in Israeli society to that of Silicon Valley here. Since most Israelis serve in the army, this [8200] is where the techno-geeks among them gravitate. And when they exit their military service with their advanced technical training, they not only create commercial technology start-ups, they also continue developing products for Israel’s security apparatus. One such 8200 alumnus founded Carmel Ventures, an Israeli venture capital outfit which funded Yuval Tal’s Payoneer, a U.S. company providing prepaid debit cards to its customers, among whom were two of the Mossad hitmen who “hit” Mahmoud al-Mabhouh in Dubai.

While I don’t claim to be a computer security expert, I feel that Stuxnet is a very important development not only in and of itself, but also for the impact it will have on the Iran nuclear debate, so I’m going to quote at some length from the recent technical articles about it in industry publications. It’s really fascinating stuff even for a layperson. Let’s start with PCWorld:

Researchers studying the worm all agree that Stuxnet was built by a very sophisticated and capable attacker — possibly a nation state — and it was designed to destroy something big…some of the researchers who know Stuxnet best say that it may have been built to sabotage Iran’s nukes.

…One of the things that Langner discovered is that when Stuxnet finally identifies its target, it makes changes to a piece of Siemens code called Organizational Block 35. This Siemens component monitors critical factory operations — things that need a response within 100 milliseconds. By messing with Operational Block 35, Stuxnet could easily cause a refinery’s centrifuge to malfunction, but it could be used to hit other targets too, Byres said. “The only thing I can say is that it is something designed to go bang,” he said.

…This is not something that your run-of-the-mill hacker can pull off. Many security researchers think that it would take the resources of a nation state to accomplish.

It is common for such malware to exploit a single weakness to infect a computer or system, but Stuxnet uses four separate vulnerabilities, which is unheard of for such worms. It also uses two forged digital certificates, which further indicates the highly sophisticated nature of the attack. It is important to note that Israel’s high tech industry has made a specialty of developing digital certificates. As one of my readers who specializes in IT wrote:

Public and private key technology (the basis of certificates) is indeed an Israeli computer specialty. The Weizmann Institute in fact is the premier research university for such things.

What better country to forge a digital certificate than one whose techno hackers specialize in creating them? When you know a technology you also know how to exploit its weaknesses.

CNET’s report amplifies on Langner’s findings:

“With the forensics we now have, it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge,” he wrote. “The attack combines an awful lot of skills–just think about the multiple zero-day vulnerabilities, the stolen certificates, etc. This was assembled by a highly qualified team of experts, involving some with specific control system expertise. This is not some hacker sitting in the basement of his parents’ house. To me, it seems that the resources needed to stage this attack point to a nation state.”

The Stuxnet worm is a “groundbreaking” piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.

“It’s amazing, really, the resources that went into this worm,” said Liam O Murchu, manager of operations with Symantec’s security response team.

“I’d call it groundbreaking,” said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. In comparison, other notable attacks, like the one dubbed Aurora that hacked Google’s network and those of dozens of other major companies, were child’s play.

Here they analyze in greater detail the particular ways in which Stuxnet operates and the technical ambition and complexity required to create it:

Once within a network — initially delivered via an infected USB device — Stuxnet used the EoP [elevation of privilege] vulnerabilities to gain administrative access to other PCs, sought out systems running the WinCC and PCS 7 SCADA management programs, hijacked them by exploiting either the print spooler or MS08-067 bugs, then tried the default Siemens passwords to commandeer the SCADA software.

They could then reprogram the so-called PLC (programmable logic control) software to give machinery new instructions.

On top of all that, the attack code seemed legitimate because the people behind Stuxnet had stolen at least two signed digital certificates.

“The organization and sophistication to execute the entire package is extremely impressive,” said Schouwenberg. “Whoever is behind this was on a mission to get into whatever company or companies they were targeting.”

O Murchu seconded that. “There are so many different types of execution needs that it’s clear this is a team of people with varied backgrounds, from the rootkit side to the database side to writing exploits,” he said.

The malware, which weighed in at nearly half a megabyte — an astounding size, said Schouwenberg — was written in multiple languages, including C, C++ and other object-oriented languages, O Murchu added.

“And from the SCADA side of things, which is a very specialized area, they would have needed the actual physical hardware for testing, and [they would have had to] know how the specific factory floor works,” said O Murchu.

“Someone had to sit down and say, ‘I want to be able to control something on the factory floor, I want it to spread quietly, I need to have several zero-days,’” O Murchu continued. “And then pull together all these resources. It was a big, big project.”

…Put all that together, and the picture is “scary,” said O Murchu.

So scary, so thorough was the reconnaissance, so complex the job, so sneaky the attack, that both O Murchu and Schouwenberg believe it couldn’t be the work of even an advanced cybercrime gang.

“I don’t think it was a private group,” said O Murchu. “They weren’t just after information, so a competitor is out. They wanted to reprogram the PLCs and operate the machinery in a way unintended by the real operators. That points to something more than industrial espionage.”

The necessary resources, and the money to finance the attack, put it outside the realm of a private hacking team, O Murchu said.

“This threat was specifically targeting Iran,” he continued. “It’s unique in that it was able to control machinery in the real world.”

“All the different circumstances, from the multiple zero-days to stolen certificates to its distribution, the most plausible scenario is a nation-state-backed group,” said Schouwenberg.

Let’s step back and ask a few questions. While Stuxnet and other types of sabotage may’ve delayed Iran’s nuclear production and research, do we really believe that Iran’s scientists are so simple and naive that they would create only a single track for their work? Do we really believe this will cause any more than a temporary delay for them in developing their nuclear technology? No matter how damaging the worm is, no matter how impressive the technical achievement that brought it forth, it’s at best a stop-gap measure. As such, it doesn’t get at the root issue or the root way to resolve the problem, which, once again like a broken record, I proclaim to anyone who will listen is a negotiated diplomatic solution.

Whatever Iran is trying to do cannot be stopped except by negotiation or war, leading to toppling the regime and replacing it with a West-compliant one (and good luck with that).

In regards to the latter option, if Israel deliberately used cyber-sabotage in order to mess with the minds and facilities of Iranian scientists, they may’ve coupled such an operation with a more deliberate one to bomb the facilities later. Such a two-pronged approach would make more sense from a military-intelligence perspective than simply messing up the production schedule of Bushehr for a year. But again, what do I know, I’m only speculating. Educated speculation by someone who has studied such minds at work for some time–but speculation nonetheless.